Need help with 5GT config



  • I have a 5GT that I am having difficulty configuring the way I need.
    The problem is routing between two subnets, one on the LAN and the other on wireless.
    Both the LAN and the wireless subnet need to reach the Internet, and the wireless users need to be able to browse the LAN.
    Please review the following config and make a recommendation.

    unset key protection enable
    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server “Local” id 0
    set auth-server “Local” server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "XXXXXXXXXXXXXXXXXXXXXX"
    set admin password "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    set admin user “norman” password “XXXXXXXXXXXXXXXXXXXXXX” privilege "all"
    set admin user “jperez” password “XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX” privilege "all"
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone “Trust” vrouter "trust-vr"
    set zone “Untrust” vrouter "trust-vr"
    set zone “Wzone1” vrouter "trust-vr"
    set zone “VLAN” vrouter "trust-vr"
    set zone id 100 "wireless2"
    set zone “Untrust-Tun” vrouter "trust-vr"
    set zone “Trust” tcp-rst
    set zone “Untrust” block
    unset zone “Untrust” tcp-rst
    set zone “MGT” block
    set zone “Wzone1” tcp-rst
    unset zone “V1-Trust” tcp-rst
    unset zone “V1-Untrust” tcp-rst
    set zone “VLAN” block
    unset zone “VLAN” tcp-rst
    unset zone “wireless2” tcp-rst
    set zone “Untrust” screen tear-drop
    set zone “Untrust” screen syn-flood
    set zone “Untrust” screen ping-death
    set zone “Untrust” screen ip-filter-src
    set zone “Untrust” screen land
    set zone “V1-Untrust” screen tear-drop
    set zone “V1-Untrust” screen syn-flood
    set zone “V1-Untrust” screen ping-death
    set zone “V1-Untrust” screen ip-filter-src
    set zone “V1-Untrust” screen land
    set interface “trust” zone "Trust"
    set interface “wireless1” zone "Wzone1"
    set interface “wireless2” zone "Trust"
    set interface “untrust” zone "Untrust"
    set interface “adsl1” pvc 0 35 mux vc protocol bridged zone "Null"
    unset interface vlan1 ip
    set interface trust ip 192.168.124.56/24
    set interface trust nat
    set interface wireless2 ip 192.168.123.1/24
    set interface wireless2 nat
    set interface untrust ip 174.61.88.107/21
    set interface untrust nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface wireless2 manage-ip 192.168.123.2
    set interface trust ip manageable
    set interface wireless2 ip manageable
    set interface untrust ip manageable
    set interface trust manage mtrace
    set interface untrust manage ping
    set interface untrust manage web
    set interface untrust protocol igmp host
    set interface untrust protocol igmp enable
    set interface untrust dhcp client enable
    set interface trust dhcp server service
    set interface wireless2 dhcp server service
    set interface trust dhcp server auto
    set interface wireless2 dhcp server auto
    set interface trust dhcp server option lease 1440000
    set interface trust dhcp server option gateway 192.168.124.56
    set interface trust dhcp server option netmask 255.255.255.0
    set interface trust dhcp server option domainname hsd1.fl.comcast.net.
    set interface trust dhcp server option dns1 75.75.75.75
    set interface trust dhcp server option dns2 75.75.76.76
    set interface wireless2 dhcp server option lease 1440000
    set interface wireless2 dhcp server option gateway 192.168.123.1
    set interface wireless2 dhcp server option netmask 255.255.255.0
    set interface wireless2 dhcp server option domainname hsd1.fl.comcast.net.
    set interface wireless2 dhcp server option dns1 75.75.75.75
    set interface wireless2 dhcp server option dns2 75.75.76.76
    set interface wireless2 dhcp server option dns3 8.8.8.8
    set interface trust dhcp server ip 192.168.124.101 to 192.168.124.253
    set interface wireless2 dhcp server ip 192.168.123.50 to 192.168.123.200
    unset interface trust dhcp server config next-server-ip
    unset interface wireless2 dhcp server config next-server-ip
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain hsd1.fl.comcast.net.
    set dbuf usb filesize 0
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 68.87.74.166 src-interface untrust
    set dns host dns2 68.87.68.166 src-interface untrust
    set address “Trust” “192.168.123.0/24” 192.168.123.0 255.255.255.0
    set address “Trust” “192.168.124.0/24” 192.168.124.0 255.255.255.0
    set address “Trust” “209.177.236.146/32” 209.177.236.146 255.255.255.255
    set address “Untrust” “192.168.125.0/24” 192.168.125.0 255.255.255.0
    set address “wireless2” “192.168.124.0/24” 192.168.124.0 255.255.255.0
    set user “Nhirsch” uid 2
    set user “Nhirsch” type ike
    set user “Nhirsch” "enable"
    set crypto-policy
    exit
    set ike gateway “Gateway for 192.168.124.0/24” address 207.239.157.98 id “NHA_SSG_520” Aggr local-id “hirsch-ns5gt” outgoing-interface “untrust” preshare “XXXXXXXXXXXXXXXXXXXXXXXX==” proposal “pre-g2-3des-sha” "pre-g2-aes128-sha"
    set ike gateway “Gateway for 192.168.124.0/24” nat-traversal
    set ike gateway “Gateway for 192.168.124.0/24” nat-traversal udp-checksum
    set ike gateway “Gateway for 192.168.124.0/24” nat-traversal keepalive-frequency 5
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vpn “VPN for 192.168.125.0/24” gateway “Gateway for 192.168.124.0/24” replay tunnel idletime 0 sec-level compatible
    set vpn “VPN for 192.168.125.0/24” monitor
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set anti-spam profile ns-profile
    set sbl default-server enable
    exit
    set vpn “VPN for 192.168.125.0/24” proxy-id local-ip 192.168.124.0/24 remote-ip 192.168.125.0/24 "ANY"
    set policy id 20 name “vpn nhirsch” from “Trust” to “Untrust”  “192.168.124.0/24” “192.168.125.0/24” “ANY” tunnel vpn “VPN for 192.168.125.0/24” id 0x1 pair-policy 21
    set policy id 20
    exit
    set policy id 21 name “vpn nhirsch” from “Untrust” to “Trust”  “192.168.125.0/24” “192.168.124.0/24” “ANY” tunnel vpn “VPN for 192.168.125.0/24” id 0x1 pair-policy 20
    set policy id 21
    exit
    set policy id 25 name “wireless 2” from “Trust” to “Untrust”  “192.168.123.0/24” “Any” “ANY” permit
    set policy id 25
    exit
    set policy id 1 from “Trust” to “Untrust”  “Any” “Any” “ANY” permit
    set policy id 1
    exit
    set policy id 23 name “Avaya” from “Untrust” to “Trust”  “192.168.125.0/24” “192.168.124.0/24” “ANY” permit log
    set policy id 23 disable
    set policy id 23
    exit
    set policy id 24 name “wireless policy route?” from “Trust” to “Trust”  “192.168.123.0/24” “192.168.124.0/24” “ANY” permit
    set policy id 24
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "server 0.north-america.pool.ntp.org"
    set ntp server backup1 "server 1.north-america.pool.ntp.org"
    set ntp server backup2 "0.0.0.0server 2.north-america.pool.ntp.org"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set wlan channel auto
    set wlan advanced cts-type cts-rts
    set ssid name CCove422
    set ssid CCove422 authentication wpa-psk passphrase XXXXXXXXXXXXXXXXXXXXXXXXXXXX== encryption auto
    set ssid CCove422 interface wireless2
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set router-id 192.168.0.0
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 192.168.123.0/24 interface trust
    set route 192.168.123.0/0 vrouter “untrust-vr” preference 20 metric 1
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    The wireless2 and trust (LAN) interfaces are both set to NAT mode, so I am not sure whether one or both need to be in route mode. If they do need to be in route mode, I need to know which routes must be set up so that the two subnets can reach each other and access the Internet.

    BIG thanks in advance…



  • Can anyone here give me some guidance please?


 
